Anyone who has an idea on how I can introduce reCAPTCHA into my reference application login, please share the steps with me. Can this be accomplished in a module, or do some changes need to be made to the core? @dkayiwa @raff @darius @ssmusoke @mksd
Good idea for the Reference application login.
Actually, most of the login portals use reCAPTCHA to verify user requests against suspicious actions. If someone keeps pinging the login REST endpoint continuously through a program/script, then the server routing will collapse and most of the routings will be served to that request. So other users might not get the login screen to continue their work. We need to block these continuous requests to the servers and make sure the server routines are working properly and equally for all users. In this case, there are some common ideas which can prevent these issues:
- Set a maximum try quota for a given time limit. If the user exceeds that limit for the API request, then the API requests will be terminated from the client side (5 requests within 1 min). The user needs to wait until the time quota expires.
- Apply the reCAPTCHA after some failed login attempts (3 or 5). So the user needs to complete it to send the login API request to the backend. (We can do this check on the client side or the server side.) The user does not need to wait for the time quota.
- Apply the reCAPTCHA for all login requests. Some vendors keep this idea and request the reCAPTCHA for all login attempts. But surely it will affect the usability of regular login attempts.
So for the Reference application, I hope step 2 will be a good addition. We can consider two types of implementation:
- We can keep the login attempt information in the client-side session or local variables, and if the failed login attempts within a given time gap exceed the quota, then we can prevent the REST calls from the client side (if the quota is 5 login attempts within 1 min). But the problem is that it will work only for browsers. We can implement this for other REST service vendors.
- We can keep the login REST request information on a separate backend side (separate from the login REST resources). So every login REST request will be routed through this attempt-checking middleware, and it will block and resend to the client side if the login attempt quota is exceeded. So then the login screens will ask for reCAPTCHA to send the login REST requests to the server. If the reCAPTCHA values are correct, then the attempt-checking middleware will allow the request through to the login-checking resources.
You can get more information from the Google reCAPTCHA developer guide.
These are just my understanding of reCAPTCHA. Other suggestions and comments are welcome to improve this one.
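The second type of implementation described above, the attempt-checking middleware, as an added example that is not part of this thread or of the OpenMRS code base. It keeps failed-attempt timestamps per username in a sliding window (5 within 60 s, as in the post), and once the quota is exceeded it refuses logins that do not carry a valid CAPTCHA response. The HTTP status codes, the `verify_captcha` callback and the request dict shape are my assumptions; the callback is injected so an offline CAPTCHA library can be plugged in.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Tuple


@dataclass
class AttemptChecker:
    """Sliding-window tracker of failed logins per client key (e.g. username)."""
    max_attempts: int = 5        # quota from the post: 5 attempts ...
    window_seconds: float = 60.0  # ... within 1 minute
    _failures: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))

    def _prune(self, key: str, now: float) -> Deque[float]:
        # Drop failures that are older than the window, then return the rest.
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def captcha_required(self, key: str, now: float) -> bool:
        return len(self._prune(key, now)) >= self.max_attempts

    def record_failure(self, key: str, now: float) -> None:
        self._prune(key, now).append(now)

    def record_success(self, key: str) -> None:
        # A successful login resets the counter for that key.
        self._failures.pop(key, None)


def handle_login(checker: AttemptChecker,
                 authenticate: Callable[[str, str], bool],
                 verify_captcha: Callable[[str], bool],
                 request: dict, now: float) -> Tuple[int, dict]:
    """Middleware in front of the real login resource.

    `request` is a constructed dict with 'username', 'password' and an
    optional 'captcha_response'. Returns (http_status, body); 429 is an
    assumed status for 'quota exceeded, solve the CAPTCHA first'."""
    key = request["username"]
    if checker.captcha_required(key, now):
        token = request.get("captcha_response")
        if not token or not verify_captcha(token):
            # Block the request and tell the client to show the CAPTCHA.
            return 429, {"error": "captcha_required"}
    if authenticate(request["username"], request["password"]):
        checker.record_success(key)
        return 200, {"result": "ok"}
    checker.record_failure(key, now)
    return 401, {"error": "invalid_credentials"}
```

Only failed logins are counted, so a scripted flood of bad passwords is forced through the CAPTCHA after the quota while a user who types the right password is never delayed.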
Thank you for the quick response. Before posting this, I did some random reading and saw Google reCAPTCHA. I wonder if that could work on offline servers (not connected to the internet).
Ohh, so we need some offline reCAPTCHA solutions. Have you seen this: http://simplecaptcha.sourceforge.net/ ? It is an open source implementation for Java-based reCAPTCHA offline requirements.